As we enter 2017, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks. This is how it was for Imperva when, just ten days before the year’s end, they found themselves mitigating a 650 Gbps (Gigabit per second) DDoS attack—the largest on record for their network.

This was a fitting end to a year of huge DDoS assaults, nasty new malware types and massive IoT botnets. What’s more, it showed exactly where things are heading next on the DDoS front.

The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network. It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.

The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time, he brought enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).

Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.

So far, all of the huge DDoS attacks of 2016 were associated with the Mirai malware. However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants was used for this assault.